Implementation Guide for Small- and Medium-Sized Enterprises (SMEs)
[Cover graphic: the CIS Controls wheel, highlighting Control 1 Inventory of Authorized & Unauthorized Devices, Control 2 Inventory of Authorized & Unauthorized Software, Control 3 Secure Configurations for Hardware and Software, Control 4 Continuous Vulnerability Assessment & Remediation, Control 18 Application Software Security, Control 19 Incident Response & Management, and Control 20 Penetration Tests & Red Team Exercises.]
Contents
Introduction (page 2)
Overview (page 3)
Phase 1: Know your environment (page 4)
Phase 2: Protect your assets (page 7)
Phase 3: Prepare your organization (page 10)
Helpful Resources (page 12)
Acknowledgments (page 14)
1
CIS Controls Implementation Guide for SMEs
Introduction
Credit card breaches, identity theft, ransomware, theft of intellectual property, loss of
privacy, denial of service – these cyber incidents have become everyday news. Victims include
some of the largest, best-funded, and most security-savvy enterprises: government agencies,
major retailers, financial services companies, even security solution vendors.
Many of the victims have millions of dollars to allocate for cybersecurity, yet still fall short in
their efforts to defend against common attacks. What’s even more disturbing is that many
of the attacks could have been prevented by well-known security practices such as regular
patching and secure configurations.
So what are the rest of us supposed to do? How do organizations with small budgets and
limited staff respond to the continuing cyber problem? This guide seeks to empower the
owners of small and medium-sized enterprises (SMEs) to help them protect their businesses
with a small number of high priority actions based on the Center for Internet Security’s
Critical Security Controls (CIS Controls). The CIS Controls are a comprehensive set of
cybersecurity best practices developed by IT experts that address the most common threats
and vulnerabilities.
Phishing attacks – Email designed to look like legitimate correspondence that tricks recipients
into clicking on a link that installs malware on the system.
Ransomware – A type of malicious software that blocks access to a computer so that criminals
can hold your data for ransom.
This guide contains a small sub-set of the CIS Controls specifically selected to help protect
SMEs. Since such resources change from time to time, please contact CIS or check out our
website for the most recent information (www.cisecurity.org).
Overview
Security and good IT management go hand-in-hand: a well-managed network is more
difficult to attack than a poorly managed one. To understand how well your organization
is managing its cybersecurity, start by asking yourself these questions:
To address each of these questions, this Guide lists a variety of free or low-cost tools, as
well as procedures you can implement to improve your security. The list is not meant to be
exhaustive, but it is representative of the wide variety of resources available at low/no cost
that any SME can leverage to improve its cybersecurity.
To help you prioritize your efforts, this Guide recommends using a phased approach. Phase
1 involves knowing what’s on your network and understanding your cybersecurity baseline.
Phase 2 focuses on protecting your security baseline through education and prevention.
Phase 3 helps your organization to prepare in advance for disruptive events.
Each phase has specific questions that you will want to answer, along with action items
and tools that will help you achieve your goals. You may want to assign one person in your
organization to be the cybersecurity leader to report regularly on security activities.
Phase 1: Know your environment
Here are a few key questions that are important to think about:
To protect your business, you need to understand the value of your data and how it can be
used. You may also be required by law to protect certain types of information such as credit
card and health information. Here are some examples of data you will want to identify
and inventory:
• If on a wireless network, check your router to see which devices are connected, and make
sure the network is password-protected using strong encryption (WPA2).
• For larger networks, use a network scanner (commercial or open source) to identify all
the devices on your network.
• Enable Dynamic Host Configuration Protocol (DHCP) logging on your networking devices
to allow for easy tracking of all devices that have been on your network. (Consult your IT
experts if you need assistance with this.)
• For smaller organizations, keep an inventory list of your hardware assets (computers,
servers, laptops, printers, phones, etc.) and critical data on a spreadsheet, which you
should update whenever there are new devices or data added.
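The DHCP logging and hardware inventory items above combine naturally: once lease events are being logged, a small script can turn them into a list of devices that obtained an address and compare that list against the spreadsheet of authorized hardware. The following is an added example written for this guide, not a CIS tool or code from the guide itself. The log lines are constructed and loosely modelled on ISC dhcpd syslog output; the authorized-device table is a hypothetical spreadsheet export keyed by MAC address. Any real DHCP server will need its own line format in `ACK_RE`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log, loosely modelled on ISC dhcpd syslog lines (not from any real network).
SAMPLE_DHCP_LOG = """\
Jan 10 08:01:02 gw dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop01) via eth0
Jan 10 08:03:17 gw dhcpd: DHCPACK on 192.168.1.51 to 00:11:22:33:44:66 (printer-lobby) via eth0
Jan 10 09:15:44 gw dhcpd: DHCPREQUEST for 192.168.1.77 from aa:bb:cc:dd:ee:ff via eth0
Jan 10 09:15:45 gw dhcpd: DHCPACK on 192.168.1.77 to aa:bb:cc:dd:ee:ff via eth0
Jan 11 07:58:10 gw dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop01) via eth0
"""

# Constructed authorized-device inventory, keyed by MAC address (hypothetical spreadsheet export).
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "laptop01 (finance)",
    "00:11:22:33:44:66": "printer-lobby",
}

# Only DHCPACK lines matter: they record that the server actually handed out a lease.
# The pattern is an assumption about the log format; adjust it for your DHCP server.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str
    first_seen: str
    last_seen: str
    acks: int


def parse_leases(log_text: str) -> Dict[str, Lease]:
    """Collapse lease events into one record per MAC address."""
    leases: Dict[str, Lease] = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DHCPDISCOVER/REQUEST/NAK lines are not granted leases
        mac = m.group("mac").lower()
        host = m.group("host") or "<no hostname>"
        if mac in leases:
            lease = leases[mac]
            lease.ip = m.group("ip")          # keep the most recent address
            lease.last_seen = m.group("ts")
            lease.acks += 1
            if host != "<no hostname>":
                lease.hostname = host
        else:
            leases[mac] = Lease(mac, m.group("ip"), host, m.group("ts"), m.group("ts"), 1)
    return leases


def find_unknown_devices(leases: Dict[str, Lease], authorized: Dict[str, str]) -> List[Lease]:
    """Devices that obtained a lease but do not appear in the authorized inventory."""
    return [lease for mac, lease in sorted(leases.items()) if mac not in authorized]


def report(log_text: str, authorized: Dict[str, str]) -> List[str]:
    """One line per unknown device, for whoever maintains the hardware inventory."""
    leases = parse_leases(log_text)
    return [
        f"UNKNOWN {lease.mac} {lease.ip} {lease.hostname} "
        f"first={lease.first_seen} last={lease.last_seen} acks={lease.acks}"
        for lease in find_unknown_devices(leases, authorized)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DHCP_LOG, AUTHORIZED_DEVICES):
        print(line)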
Cost-effective solutions:
• Create an inventory of applications that are running on your system and the web services
or cloud solutions your organization uses:
◦◦ Manually check the install/uninstall features of the operating system to get a list of
software that has been installed on the system.
◦◦ Periodically check to see what software is running on your systems using available
inventory or auditing tools.
◦◦ Check with your employees to identify which online services, such as online file-sharing
platforms or HR systems, they are using as part of their job.
5
CIS Controls Implementation Guide for SMEs
Cost-effective solutions:
• Applocker: Free Microsoft® Windows tool to identify and restrict the software that is
allowed to run (https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx)
• Netwrix: Variety of free tools to identify information about administrative access on your
systems (https://www.netwrix.com)
• OpenAudIT: Inventory applications and software on workstation servers and network
devices (http://www.open-audit.org/)
6
CIS Controls Implementation Guide for SMEs
• Periodically run Microsoft® Baseline Security Analyzer to identify which patches are missing
for Windows products and what configuration changes need to be made.
• Ensure that your browsers and all plugins are up-to-date. Consider using a browser that
automatically updates itself, such as Google Chrome™ browser.
• Run up-to-date anti-malware software to protect systems from malware. Utilize cloud-
based lookup capabilities to check for updates if your anti-malware product supports this.
• Limit the use of removable media (USBs, CDs, DVDs) to those with an approved business
need.
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) on Microsoft® Windows
machines to protect against code-based vulnerabilities.
(https://www.microsoft.com/en-us/download/details.aspx?id=50766)
• Require the use of multi-factor authentication where available, especially for remotely
accessing your internal network or email. For example, this could include the use of secure
tokens or mobile text options as an extra layer of security beyond just passwords.
• Change default passwords for all applications, operating systems, routers, firewalls,
wireless access points, printer/scanners, and other devices when adding them to the
network.
• Use encryption for secure remote management of your devices and to pass sensitive
information.
• Encrypt hard drives, laptops, and mobile devices that contain sensitive information.
• For systems processing highly sensitive information, implement the recommendations from
the CIS Benchmarks (www.cisecurity.org) to securely configure devices and applications.
7
CIS Controls Implementation Guide for SMEs
Cost-effective solutions:
What to communicate:
• Identify those within your organization who have access to or who handle sensitive data,
and ensure they understand their role in protecting that information.
• Two very common attack methods include phishing email and phone call attacks. Be
sure your employees can explain and identify common indicators of an attack. These can
include someone creating a strong sense of urgency, someone asking for very sensitive or
private information, someone using confusing or technical terms, and someone asking the
employee to ignore or bypass security procedures.
• Ensure that everyone knows that common sense is ultimately your best defense.
If something seems odd, suspicious, or too good to be true, it is most likely an attack.
• Encourage the use of strong, unique pass-phrases for every account and/or two-step
verification when possible.
• Require everyone to use “screen lock” on their mobile devices.
• Make sure all staff keep their devices and software updated and current.
8
CIS Controls Implementation Guide for SMEs
How to communicate:
• Engage your employees at an emotional level, making sure they understand how to
protect your organization and how this protection also applies to their personal lives.
• Be sure all staff understand that cybersecurity is an important part of their job.
• Disseminate to your staff free cybersecurity awareness materials, such as the SANS OUCH!
newsletter and MS-ISAC’s monthly cyber-tip newsletters.
• Use online resources such as the National Cyber Security Alliance’s StaySafeOnline.org.
Cost-effective solutions:
• SANS Ouch! Newsletter, Video of the Month, Daily Tips and Posters
(http://securingthehuman.sans.org/ouch/archives)
• MS-ISAC Monthly Newsletters (https://msisac.cisecurity.org/newsletters/)
• Staysafeonline.com
9
CIS Controls Implementation Guide for SMEs
• Do you know the last time your critical files were backed up?
• Do you periodically verify that the backups are complete?
• Do you know who to contact if an incident occurs?
Managing backups
Making and managing backups can be a tedious task; however, it is one of the best ways
to secure your data, recover after an incident, and get your business back in order. This is
especially crucial considering that ransomware malware can encrypt all your files and hold
your data for ransom. A robust response plan, complemented by current and maintained
backups, are the best protections when dealing with a cyber incident.
Cost-effective solutions:
• Microsoft “Backup and Restore”: Backup utility tool installed on Microsoft® operating
systems (https://support.microsoft.com/en-us/help/17127/windows-back-up-restore)
• Apple Time Machine: Backup tool installed on Apple® operating systems
(https://support.apple.com/en-us/HT201250)
• Amanda Network Backup: Free, open source backup tool (http://www.amanda.org/)
• Bacula: Open source network backup and recovery solution (http://blog.bacula.org/)
10
CIS Controls Implementation Guide for SMEs
To be prepared, you need to know what resources are available in the event of an incident.
You may be able to call on internal IT staff to help, or maybe you rely on a third party
to provide incident management services. Either way, you should know the roles and
expectations of anyone responsible for incident management before an event occurs.
• Identify those within your organization who will serve as the lead in case of an incident.
• Have contact information available for IT staff and/or third-party organizations.
• Join InfraGard or other associations that focus on sharing information and promoting
cybersecurity.
• Keep a list of external contacts as part of your plan. These could include legal counsel,
insurance agents if you carry cyber-risk coverage, and security consultants.
• Familiarize yourself with your state’s data breach notification laws.
11
CIS Controls Implementation Guide for SMEs
Helpful Resources
CIS® (Center for Internet Security)
CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT
community to safeguard private and public organizations against cyber threats. Our
CIS Controls and CIS Benchmarks are global standards and recognized best practices for
securing IT systems and data against the most pervasive attacks. These proven guidelines
are continuously refined and verified by a volunteer global community of experienced
IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center
(MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery
for U.S. State, Local, Tribal, and Territorial governments. (www.cisecurity.org)
SANS Institute
SANS is the largest source for information security training (https://www.sans.org/find-
training/) and security certification (http://www.giac.org) in the world. It also develops,
maintains, and makes available, at no cost, the largest collection of research documents
about various aspects of information security, and it operates the Internet’s early warning
system - the Internet Storm Center (https://isc.sans.edu/). Several documents address incident
handling. (https://www.sans.org/reading-room/whitepapers/incident)
SANS also offers a cybersecurity glossary of terms. (https://www.sans.org/security-resources/
glossary-of-terms/)
12
CIS Controls Implementation Guide for SMEs
All references to tools or other products in this document are provided for informational purposes only,
and do not represent the endorsement by CIS of any particular company, product, or technology.
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org
13
CIS Controls Implementation Guide for SMEs
Acknowledgments
The Center for Internet Security gratefully acknowledges the contributions provided by:
and other expert volunteers from the CIS Community for the content and editing
of this guide.
14